Ontario audit finds 97% of public servants lack AI safety training as unsafe tool use spreads

Ontario's Auditor General found 94% of civil servants' AI use involved unsanctioned tools, with only 3% completing safety training. The findings expose governance gaps most private-sector HR teams share.

Published on: May 14, 2026
Ontario audit exposes AI governance failures that mirror private-sector HR challenges

Ontario's Auditor General released a special report on May 12 that found thousands of civil servants routinely uploading sensitive data to unsanctioned AI tools on government devices, with minimal security oversight and almost no training. The findings offer HR leaders across sectors an uncomfortable mirror of their own organizations.

The audit examined how the Ontario Public Service - roughly 55,000 employees - procured, deployed, and used AI systems between January and November 2025. What it uncovered was an organization racing to adopt AI while governance, training, and risk controls fell dangerously behind.

The training problem

Just 1,800 of 55,000 OPS staff - three per cent - had completed the Ministry's Responsible Use of AI training course by August 2025. The course, launched in January 2024, covers safe AI website use and the risks of uploading sensitive data to unsecured platforms. It is not mandatory.

Between April and August 2025, roughly 12,000 OPS employees accessed approximately 400 AI-related websites on government devices. Around 60 per cent of those sites - 244 of them - were rated unsafe or unsecured by Microsoft's Defender cybersecurity tool, scoring five or lower out of ten. Fifteen per cent of the low-scoring sites also featured non-work content.

Microsoft Copilot Chat, the one OPS-approved generative AI tool operating in a secure, data-protected environment, accounted for just six per cent of staff's overall AI usage. Unsanctioned alternatives made up the remaining 94 per cent.

This pattern is familiar to HR professionals across Canadian organizations. Employees are adopting AI tools faster than their employers can establish guidance, policy, or safeguards.

When adoption outpaces policy

Staff likely bypassed the approved tool because it was easier, more familiar, or appeared more capable than the sanctioned alternative. The government set no adoption targets for Copilot Chat, shared no usage metrics with senior stakeholders, and took no action to understand why uptake remained low.

A second vulnerability emerged when staff accessed Copilot Chat through non-default browsers such as Google Chrome or Mozilla Firefox. In those browsers, the tool's Enterprise Data Protection feature - designed to prevent sensitive data from training external AI models - was automatically bypassed. The Ministry did not restrict browser usage or communicate this risk through training.

The Auditor General benchmarked the OPS's AI strategy against other Canadian and international public-sector organizations and found significant gaps. The strategy lacked specific actionable items, had no clear plan to prioritize AI use across ministry areas, and did not identify prohibited AI practices or areas where the technology posed unacceptable risk.

Employers without oversight of employee AI use face the same strategic blind spots. Without formal policies, monitoring, and training, organizations expose themselves to data liability, reputational damage, and loss of control over sensitive information.

Procurement risks compound the problem

The audit also examined how the OPS procured AI Scribe systems - tools used by family doctors and health-care professionals to transcribe patient notes. Evaluators found inaccuracies in notes generated by most approved vendors, including incorrect information, AI hallucinations, and incomplete documentation.

Eleven of 20 approved vendors had not submitted third-party audit reports, security organization controls certifications, or international security standards documentation. Five vendors had not submitted required threat risk assessments or privacy impact assessments. All were approved anyway.

What HR leaders should take from this

The Ontario report shows what happens when employees are enthusiastic about AI but their organization's governance framework has not caught up. Understanding why HR must be involved in AI strategy from the very start has become a defining leadership question.

The Auditor General said the Office will follow up on implementation of the report's recommendations in two years. The provincial government has accepted most of the recommendations for secure AI practices.

For public and private-sector leaders alike, the clock on the AI training gap is already running. Organizations that lack clear AI policies, training requirements, and vendor evaluation standards face the same risks the OPS audit exposed. HR leaders should consider whether their organization has addressed these gaps or is repeating them.
